
SMTP-AUTH with crypt passwords in SQL backend

  • Juan Miscaro
    Message 1 of 8, Jul 28, 2008
      Hi everybody,

      I have STARTTLS, SMTP-AUTH, and SASL running with cleartext passwords
      in a SQL backend for a while now. I am trying to switch over from
      cleartext to crypt in terms of my passwords stored in MySQL. I have
      things running for IMAP with crypt. For SMTP-AUTH I am using the same
      SQL table and password. I thought all I would need to do is edit my
      smtpd.conf file (point to the encrypted table column and specify crypt
      as password format) but I'm getting

      postfix/smtpd[6085]: warning: SASL authentication failure: Password
      verification failed
      postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL PLAIN
      authentication failed: authentication failure
      postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL LOGIN
      authentication failed: authentication failure

      Here is my smtpd.conf:

      pwcheck_method: auxprop
      auxprop_plugin: sql
      mech_list: PLAIN LOGIN

      #log_level: 2

      sql_engine: mysql
      sql_hostnames: localhost
      sql_database: mail
      sql_user: postfix
      sql_passwd: yeahright
      sql_select: SELECT crypt FROM virtual_users WHERE email = '%u@%r'
      sql_usessl: no
      password_format: crypt

      What am I missing?

      /juan
    • mouss
      Message 2 of 8, Jul 28, 2008
        Juan Miscaro wrote:
        > Hi everybody,
        >
        > I have STARTTLS, SMTP-AUTH, and SASL running with cleartext passwords
        > in a SQL backend for a while now. I am trying to switch over from
        > cleartext to crypt in terms of my passwords stored in MySQL. I have
        > things running for IMAP with crypt. For SMTP-AUTH I am using the same
        > SQL table and password.

        you forgot to tell us what sasl implementation you use. I guess it's
        cyrus-sasl...

        > I thought all I would need to do is edit my
        > smtpd.conf file (point to the encrypted table column and specify crypt
        > as password format) but I'm getting
        >

        cyrus-sasl does not support encrypted mysql passwords. try something else.

        note that:
        - if you are using dovecot, then you'd better use dovecot as a sasl
        implementation
        - if you are using courier, then you'd better use authdaemon via
        cyrus-sasl.



        > postfix/smtpd[6085]: warning: SASL authentication failure: Password
        > verification failed
        > postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL PLAIN
        > authentication failed: authentication failure
        > postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL LOGIN
        > authentication failed: authentication failure
        >
        > Here is my smtpd.conf:
        >
        > pwcheck_method: auxprop
        > auxprop_plugin: sql
        > mech_list: PLAIN LOGIN
        >
        > #log_level: 2
        >
        > sql_engine: mysql
        > sql_hostnames: localhost
        > sql_database: mail
        > sql_user: postfix
        > sql_passwd: yeahright
        > sql_select: SELECT crypt FROM virtual_users WHERE email = '%u@%r'
        > sql_usessl: no
        > password_format: crypt
        >
        > What am I missing?

        you missed the fact that we have no idea about your configuration. you
        are asking questions as though we all have similar configs. we don't.
      • Patrick Ben Koetter
        Message 3 of 8, Jul 28, 2008
          * Juan Miscaro <jmiscaro@...>:
          > Hi everybody,
          >
          > I have STARTTLS, SMTP-AUTH, and SASL running with cleartext passwords
          > in a SQL backend for a while now. I am trying to switch over from
          > cleartext to crypt in terms of my passwords stored in MySQL. I have
          > things running for IMAP with crypt. For SMTP-AUTH I am using the same
          > SQL table and password. I thought all I would need to do is edit my
          > smtpd.conf file (point to the encrypted table column and specify crypt
          > as password format) but I'm getting
          >
          > postfix/smtpd[6085]: warning: SASL authentication failure: Password
          > verification failed
          > postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL PLAIN
          > authentication failed: authentication failure
          > postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL LOGIN
          > authentication failed: authentication failure
          >
          > Here is my smtpd.conf:
          >
          > pwcheck_method: auxprop
          > auxprop_plugin: sql
          > mech_list: PLAIN LOGIN
          >
          > #log_level: 2
          >
          > sql_engine: mysql
          > sql_hostnames: localhost
          > sql_database: mail
          > sql_user: postfix
          > sql_passwd: yeahright
          > sql_select: SELECT crypt FROM virtual_users WHERE email = '%u@%r'
          > sql_usessl: no
          > password_format: crypt
          >
          > What am I missing?

          1. The so called FROST patch, which adds functionality to Cyrus SASL to have
          it verify crypted MySQL passwords. You patch, and you lose shared-secret
          mechanism functionality and are left to use plaintext passwords only.

          2. You don't patch, but don't use the sql auxprop_plugin. Instead you
          configure saslauthd to use PAM and PAM to use the Mysql Plugin. Again, you
          gain crypted passwords and lose shared-secret mechanisms.

          p@rick

          --
          The Book of Postfix
          <http://www.postfix-book.com>
          saslfinger (debugging SMTP AUTH):
          <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
        • Juan Miscaro
          Message 4 of 8, Jul 28, 2008
            2008/7/28 mouss <mouss@...>:
            > Juan Miscaro wrote:
            >>
            >> Hi everybody,
            >>
            >> I have STARTTLS, SMTP-AUTH, and SASL running with cleartext passwords
            >> in a SQL backend for a while now. I am trying to switch over from
            >> cleartext to crypt in terms of my passwords stored in MySQL. I have
            >> things running for IMAP with crypt. For SMTP-AUTH I am using the same
            >> SQL table and password.
            >
            > you forgot to tell us what sasl implementation you use. I guess it's
            > cyrus-sasl...

            Yes, I'm using Cyrus-SASL.

            >> I thought all I would need to do is edit my
            >> smtpd.conf file (point to the encrypted table column and specify crypt
            >> as password format) but I'm getting
            >>
            >
            > cyrus-sasl does not support encrypted mysql passwords. try something else.

            :(

            > - if you are using courier, then you'd better use authdaemon via cyrus-sasl.

            Ah. That would be nice! I am indeed running Courier.

            I updated smtpd.conf and everything seems to be working. Thanks!

            > you missed the fact that we have no idea about your configuration. you are
            > asking questions as though we all have similar configs. we don't.

            My apologies.

            /juan
          • kj
            Message 5 of 8, Aug 5, 2008
              Juan Miscaro wrote:
              > Hi everybody,
              >
              > I have STARTTLS, SMTP-AUTH, and SASL running with cleartext passwords
              > in a SQL backend for a while now. I am trying to switch over from
              > cleartext to crypt in terms of my passwords stored in MySQL. I have
              > things running for IMAP with crypt. For SMTP-AUTH I am using the same
              > SQL table and password. I thought all I would need to do is edit my
              > smtpd.conf file (point to the encrypted table column and specify crypt
              > as password format) but I'm getting
              >
              > postfix/smtpd[6085]: warning: SASL authentication failure: Password
              > verification failed
              > postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL PLAIN
              > authentication failed: authentication failure
              > postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL LOGIN
              > authentication failed: authentication failure

              I'm using libsasl2 in Debian Etch (not sure if this is Cyrus or not,
              none of the included documents specify) but either way, I use sasl with
              pam and pam with mysql.

              ~# cat /etc/postfix/sasl/smtpd.conf
              pwcheck_method: saslauthd
              mech_list: plain login

              # cat /etc/pam.d/smtp
              auth required pam_mysql.so user=postfix passwd=YOURPASS host=127.0.0.1
              db=postfix table=mailbox usercolumn=username passwdcolumn=password
              crypt=1 md5=1
              account sufficient pam_mysql.so user=postfix passwd=YOURPASS
              host=127.0.0.1 db=postfix table=mailbox usercolumn=username
              passwdcolumn=password crypt=1 md5=1

              One other gotcha is that if you're running Postfix in a chroot, you have
              to make sasl put its socket in the Postfix chroot, otherwise it won't work.

              From /etc/defaults/saslauthd:

              # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
              # Note: See /usr/share/doc/sasl2-bin/README.Debian

              Hope this helps!

              --kj
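The thread's core point (messages 1 through 5) is that fetching a crypt column through the sql auxprop plugin cannot work, because an auxprop lookup hands back the column as the secret itself and compares the client's password to it literally, while a crypt-aware verifier such as pam_mysql with crypt=1 or Courier's authdaemon re-hashes the presented password with the stored salt. Patrick's caveat follows from the same fact: a shared-secret mechanism such as CRAM-MD5 needs the plaintext on the server side, so a hashed store can only ever serve PLAIN and LOGIN. The script below, an added example that is not code from the thread, cyrus-sasl, pam_mysql or Courier, models all three behaviours in one place. The user record, salt, challenge and the "$demo$" hash format are constructed for the example; the salted SHA-256 is a stand-in for crypt(3) output, since Python's crypt module is deprecated, and the comparison logic is what matters, not the hash algorithm.

```python
import hashlib
import hmac

# Constructed sample record: what Juan's sql_select would hand back for one
# user. The stored value is a salted one-way hash standing in for crypt(3)
# output (assumption of this example; not cyrus-sasl, pam_mysql or crypt(3)).
USERNAME = "juan@example.org"
PASSWORD = "correct horse"                    # the plaintext the client presents
SALT = bytes.fromhex("0badc0de0badc0de")      # constructed, fixed for determinism


def hash_password(password: str, salt: bytes) -> str:
    """One-way salted hash in a crypt-like "$id$salt$digest" string."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"$demo${salt.hex()}${digest}"


STORED_HASH = hash_password(PASSWORD, SALT)   # contents of the 'crypt' column


def auxprop_literal_compare(stored: str, presented: str) -> bool:
    """An auxprop lookup treats the fetched column as *the* secret and compares
    the client's PLAIN/LOGIN password to it byte for byte. With a hash in the
    column this can never match: the 'Password verification failed' in the log."""
    return hmac.compare_digest(stored.encode("utf-8"), presented.encode("utf-8"))


def verify_against_hash(stored: str, presented: str) -> bool:
    """What a crypt-aware verifier (pam_mysql crypt=1, dovecot, authdaemon)
    does: re-hash the presented password with the stored salt and compare."""
    try:
        _, scheme, salt_hex, _digest = stored.split("$")
    except ValueError:
        return False                           # malformed stored value
    if scheme != "demo":
        return False                           # unknown hash scheme
    candidate = hash_password(presented, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def cram_md5_client(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 over the server challenge,
    keyed with the plaintext password."""
    mac = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {mac}"


def cram_md5_server(stored_secret: str, challenge: bytes, response: str) -> bool:
    """Server side: recompute the HMAC from whatever secret the backend holds.
    Only a plaintext secret reproduces the client's MAC; a hashed column keys
    the wrong HMAC, which is why moving to crypt loses shared-secret mechanisms."""
    _username, _, mac = response.partition(" ")
    expected = hmac.new(stored_secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, mac)


def demo() -> dict:
    """Run every comparison once and return the outcomes keyed by scenario."""
    challenge = b"<1896.697170952@example.org>"   # constructed CRAM-MD5 challenge
    response = cram_md5_client(USERNAME, PASSWORD, challenge)
    return {
        "auxprop_compare_on_hash": auxprop_literal_compare(STORED_HASH, PASSWORD),
        "crypt_verify_on_hash": verify_against_hash(STORED_HASH, PASSWORD),
        "crypt_verify_wrong_pw": verify_against_hash(STORED_HASH, "wrong"),
        "cram_md5_with_plaintext_store": cram_md5_server(PASSWORD, challenge, response),
        "cram_md5_with_hash_store": cram_md5_server(STORED_HASH, challenge, response),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The first scenario reproduces Juan's failure, the second is the behaviour kj obtains via saslauthd and pam_mysql, and the last two show why Patrick says the crypted store leaves you with plaintext mechanisms only: with PLAIN or LOGIN over STARTTLS the server receives the password and can re-hash it, but CRAM-MD5 never sends the password, so the server must already hold it.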
            • Security Admin (NetSec)
              Message 6 of 8, Aug 5, 2008
                One of my network devices seems to have issues with its hostname:

                "Unexpected error from e-mail server(state=3): 504 5.5.2 <dazedandconfused>: Helo command rejected: need fully-qualified hostname."


                Appears in my event log of the device when it tries to send logs to my Postfix gateway server. Is there a filter I can add via main.cf to allow just this host/IP address without needing the full hostname (which my device has suddenly not to give :) )

                Thanks in advance!

                Edward Ray

              • Sahil Tandon
                Message 7 of 8, Aug 5, 2008
                  Security Admin (NetSec) <secadmin@...> wrote:

                  > One of my network devices seems to have issues with its hostname:
                  >
                  > "Unexpected error from e-mail server(state=3): 504 5.5.2
                  > <dazedandconfused>: Helo command rejected: need fully-qualified
                  > hostname."
                  >
                  > Appears in my event log of the device when it tries to send logs to my
                  > Postfix gateway server. Is there a filter I can add via main.cf to
                  > allow just this host/IP address without needing the full hostname (which
                  > my device has suddenly not to give :) )

                  You can probably use a check_helo_access map in your smtpd_*_checks
                  before you reject_non_fqdn_helo_hostname, but please provide the output
                  of postconf -n and read:

                  http://www.postfix.org/DEBUG_README.html#mail

                  --
                  Sahil Tandon <sahil@...>
                • Noel Jones
                  Message 8 of 8, Aug 5, 2008
                    Security Admin (NetSec) wrote:
                    > One of my network devices seems to have issues with its hostname:
                    >
                    > "Unexpected error from e-mail server(state=3): 504 5.5.2 <dazedandconfused>: Helo command rejected: need fully-qualified hostname."
                    >
                    >
                    > Appears in my event log of the device when it tries to send logs to my Postfix gateway server. Is there a filter I can add via main.cf to allow just this host/IP address without needed the full hostname (which my device has suddenly not to give :) )
                    >
                    > Thanks in advance!
                    >
                    > Edward Ray
                    >

                    Is this device's IP included in your mynetworks setting? You
                    should list "permit_mynetworks" before you
                    "reject_non_fqdn_helo_hostname".

                    If you don't want to list this device in mynetworks for some
                    reason, you can use a check_client_access map to whitelist the
                    client's IP. See the archives if you need examples.

                    --
                    Noel Jones
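Both answers to Edward's question (messages 7 and 8) rest on one rule of Postfix restriction lists: entries are evaluated left to right and the first one that returns a permit or reject decides, so a permit_mynetworks, check_client_access or check_helo_access entry only helps if it comes before reject_non_fqdn_helo_hostname. The model below is an added example, not Postfix code: it evaluates a small restriction list the way smtpd does and shows the device being rejected under one ordering and permitted under the other. The networks, IP addresses, the access-map contents and the simplified FQDN test are assumptions of this example; a real deployment keys check_client_access on a postmap-built table, and Postfix's own FQDN test is more thorough.

```python
import ipaddress

# Constructed values standing in for the poster's site; none come from the thread.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
# What a postmap-built check_client_access table would hold: client IP -> action.
CLIENT_ACCESS = {"198.51.100.7": "OK"}
# A check_helo_access table: HELO name -> action. Weaker than the client map,
# because any client can present this HELO string.
HELO_ACCESS = {"dazedandconfused": "OK"}


def is_fqdn_helo(helo: str) -> bool:
    """Simplified stand-in for the reject_non_fqdn_helo_hostname test:
    an address literal such as [198.51.100.7] passes, a bare label does not."""
    if helo.startswith("[") and helo.endswith("]"):
        return True
    labels = helo.split(".")
    return len(labels) >= 2 and all(labels)


def evaluate(restrictions, client_ip: str, helo: str) -> str:
    """Walk an smtpd_helo_restrictions list in order. The first PERMIT or
    REJECT wins, a non-matching entry (DUNNO) moves on, and an exhausted list
    permits, which is Postfix's default at the end of a restriction list."""
    ip = ipaddress.ip_address(client_ip)
    for restriction in restrictions:
        if restriction == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return "PERMIT"
        elif restriction == "check_client_access":
            action = CLIENT_ACCESS.get(client_ip)
            if action == "OK":
                return "PERMIT"
            if action and action.startswith("REJECT"):
                return action
        elif restriction == "check_helo_access":
            action = HELO_ACCESS.get(helo.lower())
            if action == "OK":
                return "PERMIT"
            if action and action.startswith("REJECT"):
                return action
        elif restriction == "reject_non_fqdn_helo_hostname":
            if not is_fqdn_helo(helo):
                return ("REJECT 504 5.5.2 <%s>: Helo command rejected: "
                        "need fully-qualified hostname" % helo)
        elif restriction == "permit":
            return "PERMIT"
        else:
            raise ValueError("unknown restriction: " + restriction)
    return "PERMIT"


# The ordering that produces Edward's 504, and the one Noel and Sahil suggest.
WRONG_ORDER = ["reject_non_fqdn_helo_hostname", "permit_mynetworks"]
RIGHT_ORDER = ["permit_mynetworks", "check_client_access",
               "reject_non_fqdn_helo_hostname"]
HELO_MAP_ORDER = ["check_helo_access", "reject_non_fqdn_helo_hostname"]


if __name__ == "__main__":
    device_ip, device_helo = "192.0.2.50", "dazedandconfused"
    print("wrong order :", evaluate(WRONG_ORDER, device_ip, device_helo))
    print("right order :", evaluate(RIGHT_ORDER, device_ip, device_helo))
    print("outsider    :", evaluate(RIGHT_ORDER, "203.0.113.9", device_helo))
```

Keying the exception on the client address (mynetworks or check_client_access) is the tighter of the two fixes, since a HELO string costs a remote sender nothing to copy while a source IP is tied to the TCP connection; the check_helo_access route still works, but it admits that HELO name from anywhere.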